We are implementing cross platform (Android, PHP) gplus oauth2 for user authentication, we have followed the steps which are suggested in this document.
Issue: After getting user info from google server, we may find user or create user depending upon our database result. We stuck after this step, how to proceed further communication to identify user ? should we transfer id_token or own generated api key. The issue with id_token is, it get expired after 3600 or 3900 seconds (not clear).
Following sequence diagram may be helpful to answer.
Related
I am working on the GMB API, facing some issues. I have implemented Google Oauth at frond-end and saving user listing in my DB. Now I want to run cron job in which I want to get those user`s listing insights. So issues are here
1: I can't find GMB API samples or doc regarding GMB stuff(I have read all google-api-php-client doc).
Here are GMB samples but it doest have PHP samples.
https://github.com/google/google-my-business-samples
2: Second thing is that I don't want to open consent(Google Account Selector Popup) to get the user's permission because its a backend process. So what type of process should I follow a) Oauth OR b)Service Account.
If I use the Oauth process then I have to save access_token in the database when the user first time gives permission at the front end of the website and uses that token as refresh token to get the new access token in PHP and call GMB APIs.
But the issue is that we have already registered 500+ users, so how I will get their access token because they are already done with google permissions.
I didn`t try yet with a service account.
I am using Laravel 5.7 version.
The scenario
So I am building an app that should display data from my Xero account to the users. Users should not be able to login via OAuth2 to my web app so that's why I need persistent auth token that is independent from the users login. The current API authentication implementation from Xero does not allow that and the token expires in 30 minutes so I need a way to do this somehow in the background or with any kind of persistent token (which is not available as I can see in their docs for Auth)
Stack
I am using Laravel with the package Xero Laravel and this one's using the XeroPHP package in its core as dependency. Currently I am using Postman to do refresh token requests and I am adding the token manually (for testing purposes of course). This should not be the case when it goes on production, though. So I need a way to somehow "store" or refresh the token globally for the whole app and using only my account as an Authorization to Xero.
Problem summary
My web app need to fetch data (invoices data in particular) from my Xero account and no OAuth tokenization is required for the users (since I am using the native Laravel Auth for this purpos) that are going to read this data in a GUI.
How should I accomplish this without OAuth2 (if there is any way) or how I can do this if only my account is the "global" one for the app?
The other comments are correct that there is an initial required step to have the user that you are calling API endpoints on behalf of to authorize your API application.
Once you have their valid token_set ( access_token, refresh_token, expiry, etc.. ) you can store that securely and continue making offline_access api calls on their behalf. Note that you must programmatically refresh the token_set at least once every 60 days for it to remain valid.
I'd also recommend checking out the Xero supported libraries for help getting started quickly:
https://github.com/XeroAPI/xero-php-oauth2
https://github.com/XeroAPI/xero-php-oauth2-starter
Thanks to #droopsnoot for linking the video explaining how this works:
https://www.youtube.com/watch?v=Zcf_64yreVI
I am building a web app for a booking platform and I am using oauth2 to use their API and authentificate users. My app is embedded in an other website named here 'X' that I am not in control. When the user click on my app, it loads https://localhost/?_account_id=12 in an iframe where _account_id=12 is its own account id in X website.
I am using the oauth2 authorization code flow so the user approves my app.
I am storing securely the refresh token provided by the authorization server.
I am storing in session the account_id parameter.
The authorization server doesn't support the famous prompt=none.
This is the first time I use oauth2 so maybe I didn't understand correctly how oauth2 works.
Since I can't only rely on the _account_id parameter because of security, I need to authentificate the user each time it connects to my app. Doing so, each time the session expires, the app prompted the user to approve my app.
With other apps available in X, I am never prompted to re-approve the apps. So when analysing them, the network developer tool of my browser lists this each time I connect to other apps :
204 https://other_app_provider/fr/admin?_account_id=12
302 https://other_app_provider/auth/?_account_id=12
302 https://authorization_server/oauth/authorize?_account_id=12&client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}&response_type=code&scope={SCOPES}&state={STATE}
302 https://other_app_provider/auth/bookingsync/callback?code={CODE}&state={STATE}
200 https://other_app_provider/admin
I repeat that there is no approval screen between the authorization and the callback.
My question : How to authentificate the user silently using the authorization code flow or the implicit flow ? In other terms, how to imitate the behavior described above ?
Thank you for answering !
Could I ask a few questions first - to see if I'm understanding the scenario:
Does the user login to the host app X first and your app then gets loaded as a plug-in?
Is this a federation scenario where different companies build the host and plug-in?
Do the host and plug-in use the same authorization server or are they different login systems with different user credentials.
Avoiding the consent prompt may be as simple as switching this setting off in the OAuth Client entry for your app in the Authorizatiom Server
It is worth being aware that OAuth logins in an iframe are often blocked due to clickjacking concerns and a more reliable option is to use a pop-up window for plug-in logins.
In some scenarios it can be very hard or impossible to achieve the desired behaviour of making the solution feel like a single integrated UI - but your requirement is becoming very common.
I've found the solution :
There was an option account_id in X authorization server not well documented :
Pre-Select The Account To Authorize
When calling your Admin URL, we pass the parameter _account_id. The value of this parameter can be used as the account_id parameter during the authorization process. Doing so will pre-select the account to authorize when using the Authorization Code Flow or Implicit Flow.
So I can imitate the behavior described in the question by passing account_id parameter in the authorization url.
Now, I understand the term Pre-Select by :
Check if the account owner is connected to the host app, select its account and silently authentificate the account owner in the app, if it's an already approved account.
If I didn't see it in the network developer tool, it was because they were provided by X, so maybe X use cookie/session to Pre-Select the account to authorize. I had to install third-party apps to see the account_id parameter in the authorization url.
Thank you for your answer !
I'm currently using the GAPI tool to extract date from my Google Analytics account using an OAuth 2.0 account created in the Google Developers Console. It works flawlessly except for one thing - every so often, the script will fail with the following message:
'GAPI: Failed to request report data. Error: "{"error":{"errors":[{"domain":"global","reason":"authError","message":"Invalid Credentials","locationType":"header","location":"Authorization"}],"code":401,"message":"Invalid Credentials"}}"
My assumption is that the Oauth 2.0 token is expiring, preventing further data access. I have been manually restarting the process so far, but it would be far more efficient to automatically refresh the token prior to expiration. If anyone knows the best way to accomplish this, I'd appreciate hearing it. Thanks.
I used to get all the network updates of a logged user but now this API is not working and giving the response "Network Access denied".
What do I have to do to access this API again? Or is it totally eliminated from Linkedin REST API?
According to their documentation;
[...] take affect and will be rolled out to the entire LinkedIn application base between May 12th - May 19th, 2015.
[...] Note that users with existing OAuth grants will have to re-authenticate due to the change in requested permissions.
Please take a look at their May Transition FAQ which states a few things;
OAuth 1.0a support is gone
Tokens expire after 60 days (this is unchanged, but thought I'd note it)
The upcoming changes will not affect how any of the APIs work (with one exception noted in point #2 below), only whether you will be able to call them any longer.
And you can find more resources here